December 12, 2007

eBay Phishing for High Value Accounts

I've been actively selling some items on eBay for the last couple of months. After years of accumulating "stuff," it's time to start simplifying. Prices have been all over the board, but one item that closed this evening would certainly be classified as a high-end item. It's the only item to which I had attached a reserve price just to make sure I wouldn't get too burned on it. I had received a few inquiries about the item via eBay's My Messages system. It's the only way an eBay seller or buyer should communicate with another party regarding a still-running auction because you need an eBay account to initiate a message.

A mistake that some eBayers must make is to use the My Messages mechanism that sends a copy of each incoming message to your regular account email address, and then respond using regular email. It's definitely convenient to get the messages in your inbox, because you're more likely to notice an inquiry that appears in your inbox than to remember to check your eBay account page every now and then. I, in fact, have the email copies sent to my inbox. But (and this "but" is bigger than my butt) I read and respond to such messages solely on the eBay site that I have bookmarked. This is to prevent a phisher from slipping a lookalike message into my email inbox without using the eBay mail system.

However...

The crooks are also using the eBay mail system to phish for accounts. A few hours before the end of my high-value item auction, I received a message via the genuine eBay My Messages system, as shown here:

As I explain in detail in my EMail Safety 101 Course, spammers and scammers entice recipients to perform one of several actions, any of which will benefit the sender to the detriment of the recipient. The come-on with this message was some "good samaritan" alerting me to the possibility that someone had hijacked my high-value item photos for a bogus auction. He was, in a sense, challenging the authenticity of my auction because he had supposedly seen identical photos elsewhere. I could look at the other auction by visiting the URL in the message.

As you can see, the URL starts with a numeric IP address, rather than "ebay.com." If I had visited that address with a web browser (which I did not do—I just safely viewed the source code), I would have seen a phony eBay login page, requesting my username and password. The results of that form would have been relayed via email to a Google mail account (to a username that references a Central American criminal gang no less).
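The tell described above (a link whose host is a bare IP address instead of the expected domain) is easy to check mechanically before anyone clicks. The following is an added illustration, not code from the original post, of how a seller-side or mail-filter check might triage the links in a message: it flags numeric-IP hosts, off-domain hosts, and the "user@host" trick where a trusted name is placed before an @ so the real host follows it. The sample message, the documentation IP addresses, and the example domains are all constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The domain a seller expects an auction-related link to live on.
EXPECTED_DOMAIN = "ebay.com"

# Rough URL extractor for free-form message text; trailing punctuation is stripped below.
URL_RE = re.compile(r'https?://[^\s<>"\')]+', re.IGNORECASE)


def classify_link(url: str, expected_domain: str = EXPECTED_DOMAIN) -> str:
    """Return one of: 'ok', 'credential-in-url', 'numeric-ip', 'off-domain'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")

    # "http://ebay.com@198.51.100.23/" : the text before '@' is userinfo,
    # not the host, so the browser would actually connect to 198.51.100.23.
    if parts.username is not None:
        return "credential-in-url"

    # A bare IPv4/IPv6 address where a brand domain is expected is the
    # tell described in the post.
    try:
        ipaddress.ip_address(host)
        return "numeric-ip"
    except ValueError:
        pass

    # Only the registered domain or a true subdomain of it counts as ok;
    # "www.ebay.com.example.net" is a subdomain of example.net, not ebay.com.
    if host == expected_domain or host.endswith("." + expected_domain):
        return "ok"
    return "off-domain"


def extract_links(message: str) -> list:
    """Pull http(s) URLs out of message text, dropping trailing punctuation."""
    return [m.rstrip(".,;:!?") for m in URL_RE.findall(message)]


def suspicious_links(message: str, expected_domain: str = EXPECTED_DOMAIN) -> list:
    """Return (url, reason) pairs for every link that is not on the expected domain."""
    findings = []
    for url in extract_links(message):
        reason = classify_link(url, expected_domain)
        if reason != "ok":
            findings.append((url, reason))
    return findings


# Constructed sample message in the style of the "good samaritan" come-on.
SAMPLE_MESSAGE = (
    "Hi, I think someone is using your photos in another auction! "
    "Have a look at http://198.51.100.23/signin/ and compare it with "
    "your own listing at https://signin.ebay.com/ws/. "
    "There is also a copy at http://www.ebay.com.example.net/signin/."
)

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_MESSAGE):
        print(f"{reason:18} {url}")
```

The check is deliberately conservative: anything that is not the expected domain or one of its subdomains is reported, and a legitimate link that is wrongly flagged costs only a moment of attention, while a missed one costs the account.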

If I had supplied the login information, my eBay account would have been quickly hijacked, leading to the auction winner ultimately putting funds into the crook's hands through a couple of means. The easiest way would be for the crook to suddenly come up with a new way to pay (concocting some outrageous story that would force the buyer to pay using Western Union, I presume). More crookedly, he would try to use the same eBay login credentials to access my PayPal account so that the buyer could transfer funds normally, but I would not be able to get the money—the crook would change the password to lock me out, and then do whatever it takes to get the funds sent his way. (This, by the way, is reason enough to have different login credentials for linked accounts, such as the eBay/PayPal combination—if one account gets compromised, the other doesn't necessarily follow.)

You may wonder how the original eBay message system was able to convey this phishing message to me. I can only assume that the crook was using a previously compromised (i.e., phished) account to send the message. Heaven knows what other kinds of auction fraud he is perpetrating with that account.

I'll bet this jerk was mightily pissed off when he not only didn't get my login credentials, but the auction zoomed past my reserve price in the final minutes. "No soup for you!"

(Incidentally, because this is such a high-value auction and I have not dealt with the winning buyer before, my Suspicion Radar is set to maximum gain. I am aware of most auction payment scams, so I don't yet consider this auction to be a done deal.)

After alerting eBay to the spoof and hijacked account, as well as notifying the owner of the hijacked Canadian web site being used to host the phony login page, I used the eBay My Messages system to respond to the message:

Go peddle your phish elsewhere.

UPDATE (13 December 2007): A little more than 24 hours after my report to eBay, I received a form letter advising me that any message I have received from that eBay account may be fraudulent. Duh. Unfortunately, the account is still showing up as active. It can be frustrating to get large companies such as eBay to act quickly on what is obviously fraudulent activity.

Posted on December 12, 2007 at 08:47 PM
